CVE Catalog

CVE-2026-10562

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.30%

21th percentile — higher than 21% of all known CVEs

Summary

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface. An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences, which when processed by the embedded web server may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains.

Risk Assessment

The risk involves potential use of the device for phishing or other social engineering attacks, where victims are redirected to malicious sites without their knowledge, potentially leading to data theft or malware infection.

Recommendation

It is recommended to immediately update the Archer AX20 V2 firmware to a version newer than 2.1.9 Build 20230829 as soon as a patch is available from the vendor, and restrict access to the web interface to trusted networks only.

Original NVD description (English source)

An unauthenticated URL redirection vulnerability has been identified in Archer AX20 V2 due to improper validation of user-supplied URL input within the web interface.  An unauthenticated attacker can craft URLs containing URL-encoded path traversal sequences. When processed by the embedded web server, these inputs may cause the device to respond with HTTP 3xx redirects to attacker-controlled external domains. This issue affects Archer AX20 V2.0: through 2.1.9 Build 20230829.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS